DOCSLIB.ORG

CS 6110 S18 Lecture 17 Predicate Transformers 1 Relative Completeness 2 Weakest Preconditions 3 Weakest Liberal Preconditions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CS 6110 S18 Lecture 17 Predicate Transformers 1 Relative Completeness 2 Weakest Preconditions 3 Weakest Liberal Preconditions CS 6110 S18 Lecture 17 Predicate Transformers 1 Relative Completeness In the last lecture, we discussed the issue of completeness|i.e., whether it is possible to derive every valid partial correctness specification using the axioms and rules of Hoare logic. Unfortunately, if treated as a pure deductive system, Hoare logic cannot be complete. To see why, consider the following partial correctness specifications: ftrueg skip fP g ftrueg c ffalseg The first is valid if and only if the assertion P is valid while the second is valid if and only if the command c does not halt. It turns out that the culprit is the weakening rule, which includes premises involving the validity of implica- tions between the assertions involved: ' ) '0 f'0gcf 0g 0 ) (weakening) . f'gcf g Although we cannot have a complete proof system for first-order formulas, Hoare logic does enjoy the property stated in the following theorem: Theorem 1. 8'; ; c: f'g c f g implies ` f'g c f g: This result, due to Cook (1974), is known as the relative completeness of Hoare logic. It says that Hoare logic is no more incomplete than the language of assertions|i.e., if we had an oracle that could decide the validity of assertions, then we could decide the validity of partial correctness specifications. 2 Weakest Preconditions Given a program s and a postcondition ', the weakest property of the input state that guarantees that s halts in a state satisfying ', if it exists, is called the weakest precondition of s and ' and is denoted wp s '. This says that • wp s ' implies that s terminates in a state satisfying ' (wp s ' is a precondition of s and '), • if is any other condition that implies that s terminates in a state satisfying ', then ) wp s ' (wp s ' is the weakest precondition of s and '). As in the λ-calculus, juxtaposition represents function application, so wp can be viewed as a higher-order function that takes a program s and a postcondition ' and returns the weakest precondition of s and '. The function wp can also be viewed as taking a program and returning a function that maps postconditions to preconditions. For this reason, axiomatic semantics is sometimes known as predicate transformer semantics. 3 Weakest Liberal Preconditions Cook's proof of relative completeness depends on the notion of weakest liberal preconditions. Given a com- mand c and a postcondition the weakest liberal precondition is the weakest assertion ' such that f'g c f g 1 is a valid triple. Here, \weakest" means that any other valid precondition implies '. That is, ' most accurately describes input states for which c either does not terminate or ends up in a state satisfying . Formally, an assertion ' is a weakest liberal precondition of c and if: 8σ; I: σ I ' () (C c σ) undefined _ (C c σ) I J K J K We write wlp(c; ) for the weakest liberal precondition of command c and postcondition . From left-to-right, the formula above states that wlp(c; ) is a valid precondition: f'g c f g. The right-to-left implication says it is the weakest valid precondition: if another assertion R satisfies fRg c f g, then R implies '. It can be shown that weakest liberal preconditions are unique modulo equivalence. We can calculate the weakest liberal precondition of a command as follows: wlp(skip;') = ' wlp((x := a; ') = '[a=x] wlp((c1; c2);') = wlp(c1; wlp(c2;')) wlp(if b then c1 else c2;') = (b =) wlp(c1;')) ^ (:b =) wlp(c2;')) The definition of wlp(whilebdoc; ') is slightly more complicated|it encodes the weakest liberal precondition for each iteration of the loop. To give the intuition, first define the weakest liberal precondition for a loop that termintes in i steps as follows: F0(') = true Fi+1(') = (:b =) ') ^ (b =) wlp(c; Fi('))) We can then express the weakest liberal precondition using an infinitary conjunction: ^ wlp(while b do c; ') = Fi(') i See Winskel Chapter 7 for the details of how to encode the weakest liberal precondition for a while loop as an ordinary assertion. To check that our definition is correct, we can prove (how?) that it yields a valid partial correctness specification: Lemma 2. 8c; : fwlp(c; )g c f g and 8ρ. fρg c f g implies (ρ =) wlp(c; )) It is not hard to prove that it also yields a provable specification: Lemma 3. 8c; : ` fwlp(c; )g c f g Relative completeness follows by a simple argument: Proof Sketch. Let c be a command and let P and be assertions such that the partial correctness specification fP g c f g is valid. By Lemma 2 we have P =) wlp(c; ). By Lemma 3 we have ` fwlp(c; )g c f g. We conclude ` fP g c f g using weakening. 2.
Load more

Recommended publications
  • Constructive Design of a Hierarchy of Semantics of a Transition System by Abstract Interpretation
    1 Constructive Design of a Hierarchy of Semantics of a Transition System by Abstract Interpretation Patrick Cousota aD´epartement d’Informatique, Ecole´ Normale Sup´erieure, 45 rue d’Ulm, 75230 Paris cedex 05, France, [email protected], http://www.di.ens.fr/~cousot We construct a hierarchy of semantics by successive abstract interpretations. Starting from the maximal trace semantics of a transition system, we derive the big-step seman- tics, termination and nontermination semantics, Plotkin’s natural, Smyth’s demoniac and Hoare’s angelic relational semantics and equivalent nondeterministic denotational se- mantics (with alternative powerdomains to the Egli-Milner and Smyth constructions), D. Scott’s deterministic denotational semantics, the generalized and Dijkstra’s conser- vative/liberal predicate transformer semantics, the generalized/total and Hoare’s partial correctness axiomatic semantics and the corresponding proof methods. All the semantics are presented in a uniform fixpoint form and the correspondences between these seman- tics are established through composable Galois connections, each semantics being formally calculated by abstract interpretation of a more concrete one using Kleene and/or Tarski fixpoint approximation transfer theorems. Contents 1 Introduction 2 2 Abstraction of Fixpoint Semantics 3 2.1 Fixpoint Semantics ............................... 3 2.2 Fixpoint Semantics Approximation ...................... 4 2.3 Fixpoint Semantics Transfer .......................... 5 2.4 Semantics Abstraction ............................. 7 2.5 Fixpoint Semantics Fusion ........................... 8 2.6 Fixpoint Iterates Reordering .......................... 8 3 Transition/Small-Step Operational Semantics 9 4 Finite and Infinite Sequences 9 4.1 Sequences .................................... 9 4.2 Concatenation of Sequences .......................... 10 4.3 Junction of Sequences ............................. 10 5 Maximal Trace Semantics 10 2 5.1 Fixpoint Finite Trace Semantics .......................
    [Show full text]
  • Verification of Concurrent Programs in Dafny
    Bachelor’s Degree in Informatics Engineering Computation Bachelor’s End Project Verification of Concurrent Programs in Dafny Author Jon Mediero Iturrioz 2017 Abstract This report documents the Bachelor’s End Project of Jon Mediero Iturrioz for the Bachelor in Informatics Engineering of the UPV/EHU. The project was made under the supervision of Francisca Lucio Carrasco. The project belongs to the domain of formal methods. In the project a methodology to prove the correctness of concurrent programs called Local Rely-Guarantee reasoning is analyzed. Afterwards, the methodology is implemented over Dagny automatic program verification tool, which was introduced to me in the Formal Methods for Software Devel- opments optional course of the fourth year of the bachelor. In addition to Local Rely-Guarantee reasoning, in the report Hoare logic, Separation logic and Variables as Resource logic are explained, in order to have a good foundation to understand the new methodology. Finally, the Dafny implementation is explained, and some examples are presented. i Acknowledgments First of all, I would like to thank to my supervisor, Paqui Lucio Carrasco, for all the help and orientation she has offered me during the project. Lastly, but not least, I would also like to thank my parents, who had supported me through all the stressful months while I was working in the project. iii Contents Abstracti Contentsv 1 Introduction1 1.1 Objectives..................................3 1.2 Work plan..................................3 1.3 Content...................................4 2 Foundations5 2.1 Hoare Logic.................................5 2.1.1 Assertions..............................5 2.1.2 Programming language.......................7 2.1.3 Inference rules...........................9 2.1.4 Recursion.............................
    [Show full text]
  • Towards a Unified Theory of Operational and Axiomatic Semantics — Extended Abstract —
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Illinois Digital Environment for Access to Learning and Scholarship Repository Towards a Unified Theory of Operational and Axiomatic Semantics — Extended Abstract — Grigore Ros¸u and Andrei S¸tefanescu˘ Department of Computer Science, University of Illinois at Urbana-Champaign fgrosu, [email protected] Abstract. This paper presents a nine-rule language-independent proof system that takes an operational semantics as axioms and derives program properties, including ones corresponding to Hoare triples. This eliminates the need for language-specific Hoare-style proof rules in order to verify programs, and, implicitly, the tedious step of proving such proof rules sound for each language separately. The key proof rule is Circularity, which is coinductive in nature and allows for reasoning about constructs with repetitive behaviors (e.g., loops). The generic proof system is shown sound and has been implemented in the MatchC program verifier. 1 Introduction An operational semantics defines a formal executable model of a language typically in terms of a transition relation cfg ) cfg0 between program configurations, and can serve as a formal basis for language understanding, design, and implementation. On the other hand, an axiomatic semantics defines a proof system typically in terms of Hoare triples f g code f 0g, and can serve as a basis for program reasoning and verification. Operational semantics are well-understood and comparatively easier to define than axiomatic semantics for complex languages. More importantly, operational semantics are typically executable, and thus testable. For example, we can test them by executing the program benchmarks that compiler testers use, as has been done with the operational semantics of C [5].
    [Show full text]
  • Axiomatic Semantics
    Advanced Topics in Programming Languages Spring Semester, 2012 Lecture 6: April 24, 2012 Lecturer: Mooly Sagiv Scribe: Michal Balas and Yair Asa Axiomatic Semantics 6.1 The basic idea The problem we would like to solve is how to prove that a program does what we require of it. Given a program, we specify its required behavior based on our intuitive understanding of it. We can run it according to the operational semantics or denotational semantics and compare to its behavior there. For some programs we need to be more abstract (for example programs that receive input), and then it is necessary to use some logic to reason about the program (and how it behaves on a set of inputs and not in one specific execution path). In this case we may eventually develop a formal proof system for properties of the program or showing that it satisfies a requirement. We can then use the proof system to show correctness. These rules of the proof system are called Hoare or Floyd-Hoare rules. Floyd-rules are for flow-charts and Hoare-rules are for structured languages. Originally their approach was advocated not just for proving properties of programs but also giving a method for explaining the meaning of program. The meaning of a program was specified in terms of \axioms" saying how to prove properties of it, in other words it is given by a set of verification rules. Therefore, this approach was named axiomatic semantics. Axiomatic semantics has many applications, such as: Program verifiers • Symbolic execution tools for bug hunting • Software validation tools • Malware detection • Automatic test generation • It is also used for proving the correctness of algorithms or hardware descriptions, \extended static checking (e.g., checking array bounds), and documenting programs and interfaces.
    [Show full text]
  • Making Classes Provable Through Contracts, Models and Frames
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by CiteSeerX DISS. ETH NO. 17610 Making classes provable through contracts, models and frames A dissertation submitted to the SWISS FEDERAL INSTITUTE OF TECHNOLOGY ZURICH (ETH Zurich)¨ for the degree of Doctor of Sciences presented by Bernd Schoeller Diplom-Informatiker, TU Berlin born April 5th, 1974 citizen of Federal Republic of Germany accepted on the recommendation of Prof. Dr. Bertrand Meyer, examiner Prof. Dr. Martin Odersky, co-examiner Prof. Dr. Jonathan S. Ostroff, co-examiner 2007 ABSTRACT Software correctness is a relation between code and a specification of the expected behavior of the software component. Without proper specifica- tions, correct software cannot be defined. The Design by Contract methodology is a way to tightly integrate spec- ifications into software development. It has proved to be a light-weight and at the same time powerful description technique that is accepted by software developers. In its more than 20 years of existence, it has demon- strated many uses: documentation, understanding object-oriented inheri- tance, runtime assertion checking, or fully automated testing. This thesis approaches the formal verification of contracted code. It conducts an analysis of Eiffel and how contracts are expressed in the lan- guage as it is now. It formalizes the programming language providing an operational semantics and a formal list of correctness conditions in terms of this operational semantics. It introduces the concept of axiomatic classes and provides a full library of axiomatic classes, called the mathematical model library to overcome prob- lems of contracts on unbounded data structures.
    [Show full text]
  • Transforming Event-B Models to Dafny Contracts
    Electronic Communications of the EASST Volume XXX (2015) Proceedings of the 15th International Workshop on Automated Verification of Critical Systems (AVoCS 2015) Transforming Event-B Models to Dafny Contracts Mohammadsadegh Dalvandi, Michael Butler, Abdolbaghi Rezazadeh 15 pages Guest Editors: Gudmund Grov, Andrew Ireland Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 ECEASST Transforming Event-B Models to Dafny Contracts Mohammadsadegh Dalvandi1, Michael Butler2, Abdolbaghi Rezazadeh3 School of Electronic & Computer Science, University of Southampton 1 2 3 md5g11,mjb,[email protected] Abstract: Our work aims to build a bridge between constructive (top-down) and analytical (bottom-up) approaches to software verification. This paper presents a tool-supported method for linking two existing verification methods: Event-B (con- structive) and Dafny (analytical). This method combines Event-B abstraction and refinement with the code-level verification features of Dafny. The link transforms Event-B models to Dafny contracts by providing a framework in which Event-B models can be implemented correctly. The paper presents a method for transforma- tion of Event-B models of abstract data types to Dafny contracts. Also a prototype tool implementing the transformation method is outlined. The paper also defines and proves a formal link between property verification in Event-B and Dafny. Our approach is illustrated with a small case study. Keywords: Formal Methods, Hoare Logic, Program Verification, Event-B, Dafny 1 Introduction Various formal methods communities [CW96, HMLS09, LAB+06] have suggested that no single formal method can cover all aspects of a verification problem therefore engineering bridges be- tween complementary verification tools to enable their effective interoperability may increase the verification capabilities of verification tools.
    [Show full text]
  • Verification and Specification of Concurrent Programs
    Verification and Specification of Concurrent Programs Leslie Lamport 16 November 1993 To appear in the proceedings of a REX Workshop held in The Netherlands in June, 1993. Verification and Specification of Concurrent Programs Leslie Lamport Digital Equipment Corporation Systems Research Center Abstract. I explore the history of, and lessons learned from, eighteen years of assertional methods for specifying and verifying concurrent pro- grams. I then propose a Utopian future in which mathematics prevails. Keywords. Assertional methods, fairness, formal methods, mathemat- ics, Owicki-Gries method, temporal logic, TLA. Table of Contents 1 A Brief and Rather Biased History of State-Based Methods for Verifying Concurrent Systems .................. 2 1.1 From Floyd to Owicki and Gries, and Beyond ........... 2 1.2Temporal Logic ............................ 4 1.3 Unity ................................. 5 2 An Even Briefer and More Biased History of State-Based Specification Methods for Concurrent Systems ......... 6 2.1 Axiomatic Specifications ....................... 6 2.2 Operational Specifications ...................... 7 2.3 Finite-State Methods ........................ 8 3 What We Have Learned ........................ 8 3.1 Not Sequential vs. Concurrent, but Functional vs. Reactive ... 8 3.2Invariance Under Stuttering ..................... 8 3.3 The Definitions of Safety and Liveness ............... 9 3.4 Fairness is Machine Closure ..................... 10 3.5 Hiding is Existential Quantification ................ 10 3.6 Specification Methods that Don’t Work .............. 11 3.7 Specification Methods that Work for the Wrong Reason ..... 12 4 Other Methods ............................. 14 5 A Brief Advertisement for My Approach to State-Based Ver- ification and Specification of Concurrent Systems ....... 16 5.1 The Power of Formal Mathematics ................. 16 5.2Specifying Programs with Mathematical Formulas ........ 17 5.3 TLA .................................
    [Show full text]
  • The Monastic Rules of Visigothic Iberia: a Study of Their Text and Language
    THE MONASTIC RULES OF VISIGOTHIC IBERIA: A STUDY OF THEIR TEXT AND LANGUAGE By NEIL ALLIES A thesis submitted to The University of Birmingham for the degree of DOCTOR OF PHILOSOPHY Department of Theology and Religion College of Arts and Law The University of Birmingham July 2009 University of Birmingham Research Archive e-theses repository This unpublished thesis/dissertation is copyright of the author and/or third parties. The intellectual property rights of the author or third parties in respect of this work are as defined by The Copyright Designs and Patents Act 1988 or as modified by any successor legislation. Any use made of information contained in this thesis/dissertation must be in accordance with that legislation and must be properly acknowledged. Further distribution or reproduction in any format is prohibited without the permission of the copyright holder. Abstract This thesis is concerned with the monastic rules that were written in seventh century Iberia and the relationship that existed between them and their intended, contemporary, audience. It aims to investigate this relationship from three distinct, yet related, perspectives: physical, literary and philological. After establishing the historical and historiographical background of the texts, the thesis investigates firstly the presence of a monastic rule as a physical text and its role in a monastery and its relationship with issues of early medieval literacy. It then turns to look at the use of literary techniques and structures in the texts and their relationship with literary culture more generally at the time. Finally, the thesis turns to issues of the language that the monastic rules were written in and the relationship between the spoken and written registers not only of their authors, but also of their audiences.
    [Show full text]
  • Specifying Loops with Contracts Reasoning About Loops As Recursive Procedures
    Chair for Software Systems Institute for Informatics LMU Munich Bachelor Thesis in Computer Science: Specifying Loops With Contracts Reasoning about loops as recursive procedures Gregor Cassian Alexandru August 8, 2019 I dedicate this work to the memory of Prof. Martin Hofmann, who was an amazing teacher and inspiration, and left us all too soon. Hiermit versichere ich, dass ich die vorliegende Bachelorarbeit selbstständig verfasst und keine anderen als die angegebenen Quellen und Hilfsmittel verwendet habe. ............................................... (Unterschrift des Kandidaten) München, den 8. August 2019 5 Abstract Recursive procedures can be inductively verified to fulfill some contract, by assuming that contract for recursive calls. Since loops correspond essentially to linear recursion, they ought to be verifiable in an analogous manner. Rules that allow this have been proposed, but are incomplete in some aspect, or do not lend themselves to straight- forward implementation. We propose some implementation-oriented derivatives of the existing verification rules and further illustrate the advantages of contract-based loop specification by means of examples. Contents 1 Introduction 11 2 Motivating Example 12 2.1 Verification using an Invariant . 12 2.2 Using a local Recursive Procedure . 13 2.3 Comparison . 15 3 Preliminaries 16 4 Predicate transformer semantics 17 4.1 Prerequisites . 17 4.2 Loop specification rule for weakest precondition . 20 4.3 Soundness proof . 20 4.4 Context-aware rule . 22 4.5 Rules in strongest postcondition . 22 5 Rules in Hoare Logic 24 5.1 Preliminaries . 24 5.2 Loop specification rule in Hoare logic . 25 6 Implementation 26 7 Example Application to Textbook Algorithms 29 7.1 Euclid’s algorithm .
    [Show full text]
  • KAT and Hoare Logic
    Introduction to Kleene Algebra Lecture 14 CS786 Spring 2004 March 15, 2004 KAT and Hoare Logic In this lecture and the next we show that KAT subsumes propositional Hoare logic (PHL). Thus the specialized syntax and deductive apparatus of Hoare logic are inessential and can be replaced by simple equational reasoning. Moreover, all relationally valid Hoare-style inference rules are derivable in KAT (this is false for PHL). The results of this lecture are from [8, 7]. In a future lecture we will show that deciding the relational validity of such rules is PSPACE-complete. Hoare logic, introduced by C. A. R. Hoare in 1969 [6], was the first formal system for the specification and verification of well-structured programs. This pioneering work initiated the field of program correctness and inspired dozens of technical articles [2, 1, 3]. For this achievement among others, Hoare received the Turing Award in 1980. A comprehensive introduction to Hoare logic can be found in [3]. Hoare logic uses a specialized syntax involving partial correctness assertions (PCAs) of the form {b} p {c} and a deductive apparatus consisting of a system of specialized rules of inference. Under certain conditions, these rules are relatively complete [2]; essentially, the propositional fragment of the logic can be used to reduce partial correctness assertions to static assertions about the underlying domain of computation. The propositional fragment of Hoare logic, called propositional Hoare logic (PHL), is subsumed by KAT. The reduction transforms PCAs to ordinary equations and the specialized rules of inference to equational implications (universal Horn formulas). The transformed rules are all derivable in KAT by pure equational reasoning.
    [Show full text]
  • Chapter 1 Introduction
    Chapter Intro duction A language is a systematic means of communicating ideas or feelings among people by the use of conventionalized signs In contrast a programming lan guage can be thought of as a syntactic formalism which provides ameans for the communication of computations among p eople and abstract machines Elements of a programming language are often called programs They are formed according to formal rules which dene the relations between the var ious comp onents of the language Examples of programming languages are conventional languages likePascal or C and also the more the oretical languages such as the calculus or CCS A programming language can b e interpreted on the basis of our intuitive con cept of computation However an informal and vague interpretation of a pro gramming language may cause inconsistency and ambiguity As a consequence dierent implementations maybegiven for the same language p ossibly leading to dierent sets of computations for the same program Had the language in terpretation b een dened in a formal way the implementation could b e proved or disproved correct There are dierent reasons why a formal interpretation of a programming language is desirable to give programmers unambiguous and p erhaps informative answers ab out the language in order to write correct programs to give implementers a precise denition of the language and to develop an abstract but intuitive mo del of the language in order to reason ab out programs and to aid program development from sp ecications Mathematics often emphasizes
    [Show full text]
  • Symbolic Execution
    Symbolic Execution CS252r Spring 2011 Contains content from slides by Jeff Foster Static analysis •Static analysis allows us to reason about all possible executions of a program •Gives assurance about any execution, prior to deployment •Lots of interesting static analysis ideas and tools •But difficult for developers to use •Commercial tools spend a lot of effort dealing with developer confusion, false positives, etc. • See A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World in CACM 53(2), 2010 ‣http://bit.ly/aedM3k © 2011 Stephen Chong, Harvard University 2 One issue is abstraction •Abstraction lets us scale and model all possible runs •But must be conservative •Try to balance precision and scalability • Flow-sensitive, context-sensitive, path-sensitivity, … •And static analysis abstractions do not cleanly match developer abstractions © 2011 Stephen Chong, Harvard University 3 Testing •Fits well with developer intuitions •In practice, most common form of bug-detection •But each test explores only one possible execution of the system •Hopefully, test cases generalize © 2011 Stephen Chong, Harvard University 4 Symbolic execution •King, CACM 1976. •Key idea: generalize testing by using unknown symbolic variables in evaluation •Symbolic executor executes program, tracking symbolic state. •If execution path depends on unknown, we fork symbolic executor •at least, conceptually © 2011 Stephen Chong, Harvard University 5 SymbolicSymbolicSymbolic Execution Execution execution ExampleExample example WhyWhy Is Is This This Possible? Possible? x=0, y=0, z=0 • There are very powerful SMT/SAT solvers today 1.1.intint a a= =α α, b, b= = β β, ,c c = = γ γ;; x=0, y=0, z=0 • There are very powerful SMT/SAT solvers today 2.2.
    [Show full text]